To clarify, I’d like my CI to run all the jobs and pass when run from the main repo. When someone sends a PR from a forked repo, I’d still like the subset of jobs that don’t require secrets to run and CI still to pass.

@paulb777 I checked your PR, you use secrets as the value of environment variables. You could set the env in job level. Then the env could be used in your scripts directly. In bash, use it in syntax $var_name